dc8f074 trusts: add support for one-way shared secret trust

1 file. Authored by abbra 5 years ago, committed by cheimes 5 years ago.
    trusts: add support for one-way shared secret trust
    
    Refactor ipa-sam code to generate principals with additional POSIX
    information so that FreeIPA is capable of establishing trust when using a
    shared secret from the Active Directory domain controller side.
    
    The trust verification process from the Samba AD DC or Microsoft Windows
    AD DC side requires us to have a working local TDO object with POSIX
    attributes so that smbd would be able to map the incoming authenticated
    Kerberos principal for the TDO to a local POSIX account.
    
    Note that FreeIPA stores TDO objects in a subtree of cn=trusts,$SUFFIX
    and thus SSSD is not able to see these POSIX accounts unless
    specifically instructed to do so via multiple search bases. The support
    for automatically enabling cn=trusts,$SUFFIX search base in IPA server
    mode was added to SSSD 1.16.3 and 2.1.0 with the commit
    https://pagure.io/SSSD/sssd/c/14faec9cd9437ef116ae054412d25ec2e820e409
    
    Fixes: https://pagure.io/freeipa/issue/6077
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    
        
file modified
+179 -53